FTC allows 'selfies' for parental consent under COPPA

Rules under the Children’s Online Privacy Protection Act require websites and online services directed at children to take the consent of the child's parent before collecting personal information of the child.

The U.S. Federal Trade Commission, after a long debate including public comment, has allowed the use of a new method involving facial recognition and phone or webcam photographs of parents to verify that the person providing consent for a child to use an online service is indeed the child’s parent.

The COPPA Rule currently allows parents to mail, fax or send electronic scans of consent forms, call specified toll-free numbers with their consent, or use their bank or credit cards for payments. One method in use involves checking government-issued identification documents submitted by parents against databases with such information, but the new system proposed seems to attempt to do the verification entirely by using imaging and face recognition technology.

The system, called “face match to verified photo identification” (FMVPI), was proposed by a regulatory compliance services company called Riyo. The method requires the parent to submit a snap of a personal photo ID, such as a driver's license or passport, which is verified using computer vision and image forensics technology to ensure that it is a genuine government-issued document.

The parent then submits a selfie, taken with a phone camera or webcam, which the system then compares using facial recognition technology to ascertain whether the person on the photo ID is the same person as in the second photo. Both images are then reviewed by trained persons.

Once the verification and consent process is completed, the identification information submitted by the parent will be deleted within five minutes, according to the FTC. Riyo's application makes clear that the information collected will be promptly destroyed and not used for any other purpose, it added.

The method has its limitations as children could use their own photo IDs, such as passports that are issued to children that are minors, or photo ids of older siblings or friends to grant themselves parental consent, the Center for Digital Democracy said in September in comments to the FTC.

The system can be circumvented by children as it would ensure that the person in the photo ID is the same person in the second photo taken of themselves, but will not verify that the person is actually the parent of the child, according to the consumer advocacy group. It also questioned the reliability and accuracy of facial recognition technologies and the privacy implications in terms of the data that can be extracted from the photo ID.

But in a letter released Thursday, the FTC has approved by 4-0 votes the Riyo proposal after determining that the proposed verifiable parent consent (VPC) mechanism is “reasonably calculated, in light of available technology, to ensure that the person providing consent is the child’s parent.”

The agency said that in comparison to facial recognition that tries to match one image against a database of millions of images, "identity verification via facial recognition technology can be reasonably reliable for purposes of determining whether an individual pictured in a government-issued identification is the same person in the second image."

Referring to concerns that the facial recognition process could simply be authenticating a child, seeking to circumvent the system, the FTC observed that the software does an automated check of the individual’s birth date and thus blocks "efforts by underage users who possess their own valid documents to authenticate."

CDD Executive Director Jeff Chester wrote in an email Thursday that child privacy advocates had scored a significant victory as the FTC had ordered Riyo to immediately destroy any data it gathers from a child or parent. The organization holds, however, that the mechanism for parental consent using facial recognition is ill-advised. "While facial recognition technology has many applications, its role protecting children's privacy is unproven," Chester added.

Copyright 2018 IDG Communications. ABN 14 001 592 650. All rights reserved. Reproduction in whole or in part in any form or medium without express written permission of IDG Communications is prohibited.